Abstract

The SL synchronous programming model is a relaxation of the ESTEREL syn- 
chronous model where the reaction to the absence of a signal within an instant can 
only happen at the next instant. In previous work, we have revisited the SL syn- 
chronous programming model. In particular, we have discussed an alternative design 
of the model, introduced a CPS translation to a tail recursive form, and proposed a 
notion of bisimulation equivalence. In the present work, we extend the tail recursive 
model with first-order data types obtaining a non-deterministic synchronous model 
whose complexity is comparable to the one of the π-calculus. We show that our
approach to bisimulation equivalence can cope with this extension and in particular 
that labelled bisimulation can be characterised as a contextual bisimulation. 
1 Introduction



Concurrent and/or distributed systems are usually classified according to two main pa- 
rameters (see, e.g., [12]): the relative speed of the processes (or threads, or components, 
or nodes) and their interaction mechanism. With respect to the first parameter one refers 
to synchronous, asynchronous, partially synchronous,. . . systems. In particular, in syn- 
chronous systems, there is a notion of instant (or phase, or pulse, or round) and at each 
instant each process performs some actions and synchronizes with all other processes. One 
may say that all processes proceed at the same speed and it is in this specific sense that 
we will refer to synchrony in this work. 

With respect to the second parameter, one considers shared memory, message pass- 
ing, signals, broadcast,. . . Concerning the message passing interaction mechanism, one 
distinguishes various situations according to whether the communication channel includes 
a bounded or unbounded and an ordered or unordered buffer. In particular the situation 
where the buffer has capacity corresponds to a rendez-vous communication mechanism 
which is also called synchronous communication in that it forces a synchronisation. 

The notion of synchrony (in the sense adopted in this work) is a valuable logical concept 
that simplifies the design and analysis of systems. One may verify this claim by consulting 
standard textbooks in concurrent/distributed algorithms such as [201 El] and comparing the 
algorithms for basic problems such as leader election, minimum spanning tree, consensus,. . . 
in the synchronous and asynchronous case. In [20l [M] , the formalisation of the so called 
synchronous network model is quite simple. One assumes a fixed network topology and 
describes the behaviour of each process essentially as an infinite state Moore machine [TSj : 
at each instant, each process, depending on its current state, emits a message on each 
outgoing edge, then it receives a message from each incoming edge, and computes its
state for the next instant. 

In this paper, we are looking at the synchronous model from the point of view of 
process calculi. This means in particular, that we are looking for a notion of equivalence 
of synchronous systems with good compositionality properties. The works on SCCS [21] 
and Meije [S] are an early attempt at providing a process calculus representation of the 
synchronous model. SCCS and Meije are built over the same action structure: essentially, 
the free abelian group generated by a set of particulate actions. The models differ in the 
choice of the combinators: SCCS starts with a synchronous parallel composition and then 
adds operators to desynchronise processes while Meije starts with an asynchronous parallel 
composition and then adds operators that allow to synchronise processes. As a matter of 
fact, the SCCS and Meije operators are inter-definable so that the calculi can be regarded 
as two presentations of the same model. 

SCCS/Meije is a simple model with nice mathematical properties but it has failed so 
far to turn into a model for a realistic synchronous programming language. For this reason, 
we will not take the SCCS/Meije model as a starting point, but the synchronous language 
SL introduced in [12]. Threads in the SL model interact through signals as opposed to 
channels. A cooperative scheduling (as opposed to pre-emptive, see [28]) is sometimes 
considered, though this is not quite a compulsory choice and it is not followed here. This 
style of synchronous and possibly cooperative programming has been advocated as a more
effective approach to the development of applications such as event-driven controllers, data 
flow architectures, graphical user interfaces, simulations, web services, multi-player games 
(we refer to [2] for a discussion of the applications and implementation techniques). 

The SL model can be regarded as a relaxation of the Esterel model [8] where the 
reaction to the absence of a signal within an instant can only happen at the next instant. 
This design choice avoids some paradoxical situations and simplifies the implementation 
of the model. Unlike the SCCS/Meije model, the SL model has gradually evolved into a 
general purpose programming language for concurrent applications and has been embedded 
in various programming environments such as C, JAVA, SCHEME, and Caml (see [TTl [301 
[33l [2T]). For instance, the Reactive ML language [21] includes a large fragment of the 
Caml language plus primitives to generate signals and synchronise on them. We should 
also mention that related ideas have been developed by Saraswat et al. [32] in the area of 
constraint programming. 

The Meije and the Esterel/SL models were developed in Sophia-Antipolis in the same
research team, but, as of today, there seems to be no strong positive or negative result on 
the possibility of representing one of the models into the other. Still there are a number 
of features that plead in favour of the Esterel/SL model. First, the shift from channel 
based to signal based communication allows to preserve (to some extent) the determinacy 
of the computation while allowing for multi-point interaction. Second, pure signals, i.e., 
signals carrying no values, as opposed to pure channels, allow for a representation of data in 
binary rather than unary notation. Third, there is a natural generalisation of the calculus 
to include general data types. Fourth, the length of an instant is programmable rather 
than being given in extenso as a finite word of so called particulate actions. Fifth, efficient 
implementations of the model have been developed. 

In the early 80's, the development of the SCCS/Meije model relied on the same mathe- 
matical framework (labelled transition system and bisimulation) that was used for the de- 
velopment of the CCS model. However, the following years have witnessed the development 
of two quite distinct research directions concerned with asynchronous and synchronous
programming, respectively. Nowadays, the π-calculus [22] and its relatives can be regarded as
typical abstract models of asynchronous concurrent programming while various languages 
such as Lustre [T3], Esterel [8], and SL [12] carry the flag of synchronous programming. 

We remark that while the π-calculus has inherited many of the techniques developed for
CCS, the semantic theory of the SL model remains largely underdeveloped. In recent work 
[T], we have revisited the SL synchronous programming model. In particular, we have dis- 
cussed an alternative design of the model, introduced a CPS translation to a tail recursive 
form, and proposed a novel notion of bisimulation equivalence with good compositional- 
ity properties. The original SL language as well as the revised one assume that signals 
are pure in the sense that they carry no value. Then computations are naturally deter- 
ministic and bisimulation equivalence collapses with trace equivalence. However, practical 
programming languages that have been developed on top of the model include data types 
beyond pure signals and this extension makes the computation non-deterministic unless
significant restrictions are imposed. For instance, in the Reactive ML language we have 
already quoted, signals carry values and the emission of two distinct values on the same
signal may produce a non-deterministic behaviour. 

In the present work, we introduce a minimal extension of the tail recursive model where 
signals may carry first-order values including signal names. The linguistic complexity of 
the resulting language is comparable to the one of the π-calculus and we tentatively call
it the Sπ-calculus (pronounced s-pi).¹ Our contribution is to show that the notion
of bisimulation equivalence introduced in [1] is sufficiently robust to be lifted from the 
deterministic language with pure signals to the non-deterministic language with data types 
and signal name generation. The main role in this story is played by a new notion of labelled 
bisimulation. We show that this notion has good congruence properties and that it can be 
characterised via a suitable notion of contextual bisimulation in the sense of [17] . The proof 
of the characterisation theorem turns out to be considerably more complex than in the pure 
case having to cope with phenomena such as non-determinism and name extrusion. 

While this approach to the semantics of concurrency has already been explored in the 
framework of asynchronous languages including, e.g., the π-calculus [T71 [31 [IS], Prasad's
calculus of broadcasting systems [291 HB] , and the ambient calculus [23] , this seems to be the 
first concrete application of the approach to a synchronous language. We expect that the 
resulting semantic theory for the SL model will have a positive fall-out on the development 
of various static analyses techniques to guarantee properties such as determinacy [21],
reactivity [1], and non-interference [22].

In the following, we assume familiarity with the technical development of the theory of 
bisimulation for the π-calculus and some acquaintance with the synchronous languages of
the ESTEREL family. 

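2 The Sπ-calculus

Programs $P, Q, \ldots$ in the Sπ-calculus are defined as follows:

\[
\begin{array}{lcl}
P & ::= & 0 \mid A(\mathbf{e}) \mid \overline{s}e \mid s(x).P,K \mid [s_1 = s_2]P_1,P_2 \mid [u \unrhd p]P_1,P_2 \mid \nu s\ P \mid P_1 \mid P_2 \\
K & ::= & A(\mathbf{r})
\end{array}
\]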

We use the notation $\mathbf{m}$ for a vector $m_1, \ldots, m_n$, $n \geq 0$. The informal behaviour of programs
follows. $0$ is the terminated thread. $A(\mathbf{e})$ is a (tail) recursive call with a vector $\mathbf{e}$ of
expressions as argument. The identifier $A$ is defined by a unique equation $A(\mathbf{x}) = P$ with
the usual condition that the variables free in $P$ are contained in $\{\mathbf{x}\}$. $\overline{s}e$ evaluates the
expression $e$ and emits its value on the signal $s$. A value emitted on a signal persists
within the instant and it is reset at the end of each instant. $s(x).P,K$ is the present
statement which is the fundamental operator of the SL model. If the values $v_1, \ldots, v_n$
have been emitted on the signal $s$ in the current instant then $s(x).P,K$ evolves
non-deterministically into $[v_i/x]P$ for some $v_i$ ($[\_/\_]$ is our notation for substitution). On the
other hand, if no value is emitted then the continuation $K$ is evaluated at the end of the
instant. $[s_1 = s_2]P_1,P_2$ is the usual matching function of the π-calculus that runs $P_1$ if
$s_1 = s_2$ and $P_2$, otherwise. Here both $s_1$ and $s_2$ are free. $[u \unrhd p]P_1,P_2$ matches $u$ against
the pattern $p$. We assume $u$ is either a variable $x$ or a value $v$ and $p$ has the shape $c(\mathbf{p})$,
where $c$ is a constructor and $\mathbf{p}$ a vector of patterns. At run time, $u$ is always a value and
we run $\sigma P_1$ if $\sigma$ is the result of matching $u$ against $p$, and $P_2$ otherwise. Note that as usual
the variables occurring in the pattern $p$ are bound. $\nu s\ P$ creates a new signal name $s$ and
runs $P$. $(P_1 \mid P_2)$ runs in parallel $P_1$ and $P_2$. The continuation $K$ is simply a recursive call
whose arguments are either expressions or values associated with signals at the end of the
instant in a sense that we explain below.²

¹ S for synchronous as in SCCS [25] and SL [12]. Not to be confused with the so called 'synchronous'
π-calculus which would be more correctly described as the π-calculus with rendez-vous communication nor
with the SPI-calculus where the S suggests a pervasive 'spy' controlling and corrupting all communications.

The definition of program relies on the following syntactic categories: 



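\[
\begin{array}{lcll}
Sig  & ::= & s \mid t \mid \cdots & \text{(signal names)} \\
Var  & ::= & Sig \mid x \mid y \mid z \mid \cdots & \text{(variables)} \\
Cnst & ::= & * \mid \mathsf{nil} \mid \mathsf{cons} \mid c \mid d \mid \cdots & \text{(constructors)} \\
Val  & ::= & Sig \mid Cnst(Val, \ldots, Val) & \text{(values } v, v', \ldots) \\
Pat  & ::= & Var \mid Cnst(Pat, \ldots, Pat) & \text{(patterns } p, p', \ldots) \\
Exp  & ::= & Pat & \text{(expressions } e, e', \ldots) \\
Rexp & ::= & {!Sig} \mid Var \mid Cnst(Rexp, \ldots, Rexp) & \text{(exp. with dereferenciation } r, r', \ldots)
\end{array}
\]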



As in the π-calculus, signal names stand both for signal constants as generated by the $\nu$
operator and signal variables as in the formal parameter of the present operator. Variables
$Var$ include signal names as well as variables of other types. Constructors $Cnst$ include $*$,
$\mathsf{nil}$, and $\mathsf{cons}$. We will also write $[v_1; \ldots; v_n]$ for the list of values
$\mathsf{cons}(v_1, \ldots, \mathsf{cons}(v_n, \mathsf{nil}) \ldots)$, $n \geq 0$. Values $Val$ are terms built out of
constructors and signal names. Patterns $Pat$ are terms built out of constructors and variables
(including signal names). For the sake of simplicity, expressions $Exp$ here happen to be the
same as patterns but we could easily add first-order functional symbols defined by recursive
equations. Finally, $Rexp$ is composed of either expressions or the dereferenced value of a
signal at the end of the instant. Intuitively, the latter corresponds to the set of values
emitted on the signal during the instant. If $P, p$ are a program and a pattern then we denote
with $fn(P)$, $fn(p)$ the set of free signal names occurring in them, respectively. We also use
$FV(P)$, $FV(p)$ to denote the set of free variables (including signal names).

2.1 Typing 

Types include the basic type $1$ inhabited by the constant $*$ and, assuming $t$ is a type, the
type $sig(t)$ of signals carrying values of type $t$, and the type $list(t)$ of lists of values of type $t$
with constructors nil and cons. $1$ and $list(t)$ are examples of inductive types. More inductive
types (booleans, numbers, trees, ...) can be added along with more constructors. We
assume that variables (including signals), constructor symbols, and thread identifiers come
with their (first-order) types. For instance, a constructor $c$ may have a type $(t_1, t_2) \to t$
meaning that it waits two arguments of type $t_1$ and $t_2$ respectively and returns a value of
type $t$. It is then straightforward to define when a program is well-typed and verify that
this property is preserved by the following reduction semantics. We just notice that if a
signal name $s$ has type $sig(t)$ then its dereferenced value $!s$ should have type $list(t)$. In the
following, we will tacitly assume that we are handling well typed programs, expressions,
substitutions, ...

² The reader may have noticed that we prefer the term program to the term process. By this choice, we
want to stress that the parallel threads that compose a program are tightly coupled and are executed and
observed as a whole.

2.2 Matching 

As already mentioned, the Sπ-calculus includes two distinct matching constructions: one
operating over signal names works as in the π-calculus and the other operating over values
of inductive type actually computes a matching substitution $match(v,p)$ which is defined
as follows:³

^ 1^ y otherwise 

To appreciate the difference, assume $s \neq s'$ and consider $P = [s = s']P_1,P_2$ and
$P' = [[s] \unrhd [s']]P_1,P_2$. In the first case, $P$ reduces to $P_2$ while in the second case, $P'$ reduces to
$[s/s']P_1$. Indeed, in the first case $s'$ is a constant while in the second case it is a bound
variable.

2.3 Informal reduction semantics 

Assume $v_1 \neq v_2$ are two distinct values and consider the following program in Sπ:

\[ P = \nu s_1,s_2\ \big(\ \overline{s_1}v_1 \mid \overline{s_1}v_2 \mid s_1(x).\,(s_1(y).\,(s_2(z).\,A(x,y)\ \underline{,B(!s_1)})\ \underline{,0})\ \underline{,0}\ \big) \]

If we forget about the underlined parts and we regard $s_1, s_2$ as channel names then $P$ could
also be viewed as a π-calculus process. In this case, $P$ would reduce to

\[ P_1 = \nu s_1,s_2\ (s_2(z).A(\sigma(x),\sigma(y))) \]

where $\sigma$ is a substitution such that $\sigma(x), \sigma(y) \in \{v_1, v_2\}$ and $\sigma(x) \neq \sigma(y)$. In Sπ, signals
persist within the instant and $P$ reduces to

\[ P_2 = \nu s_1,s_2\ (\overline{s_1}v_1 \mid \overline{s_1}v_2 \mid (s_2(z).A(\sigma(x),\sigma(y)), B(!s_1))) \]

where $\sigma(x), \sigma(y) \in \{v_1, v_2\}$.

One can easily formalise this behaviour by assuming a standard structural equivalence,
by introducing the usual rules for matching and for unfolding recursive definitions (cf. rules
$(=^{sig}_1)$, $(=^{sig}_2)$, $(=^{ind}_1)$, $(=^{ind}_2)$, and $(rec)$ in the following Table 1), and by adding the rule:

\[ \overline{s}v \mid s(x).P,K \ \to\ \overline{s}v \mid [v/x]P \]

³ Without loss of expressive power, one could assume that in the second matching instruction the pattern
$p$ contains exactly one constructor symbol and that all the variables occurring in it are distinct.
What happens next? In the π-calculus, $P_1$ is deadlocked and no further computation
is possible. In the Sπ-calculus, the fact that no further computation is possible in $P_2$
is detected and marks the end of the current instant. Then an additional computation
represented by the relation $\mapsto$ moves $P_2$ to the following instant:

\[ P_2 \mapsto P_2' = \nu s_1,s_2\ B(\ell) \]

where $\ell \in \{[v_1;v_2], [v_2;v_1]\}$. Thus at the end of the instant, a dereferenced signal such as
$!s_1$ becomes a list of (distinct) values emitted on $s_1$ during the instant and then all signals
are reset.

We will further comment on the relationships between the π-calculus and the Sπ-calculus
in section 2.6 once the formal definitions are in place. In the following section 2.4,
Table 1 will formalise the reduction relation (in the special case where the transition
is labelled with the action $\tau$) while Table 2 will describe the evaluation relation at the end
of the instant.

2.4 Transitions 

The behaviour of a program is specified by (i) a labelled transition system describing
the possible interactions of the program during an instant and (ii) a transition system $\mapsto$
determining how a program evolves at the end of each instant.

As usual, the behaviour is defined only for programs whose only free variables are
signals. The labelled transition system is similar to the one of the polyadic π-calculus
modulo a different treatment of emission which we explain below. We define actions $\alpha$ as
follows:

\[ \alpha ::= \tau \mid sv \mid \nu\mathbf{t}\ \overline{s}v \]

where in the emission action the signal names $\mathbf{t}$ are distinct, occur in $v$, and differ from $s$.
The functions $n$ (names), $fn$ (free names), and $bn$ (bound names) are defined on actions as
usual: $fn(\tau) = \emptyset$, $fn(sv) = \{s\} \cup fn(v)$, $fn(\nu\mathbf{t}\ \overline{s}v) = (\{s\} \cup fn(v)) \setminus \{\mathbf{t}\}$;
$bn(\tau) = bn(sv) = \emptyset$, $bn(\nu\mathbf{t}\ \overline{s}v) = \{\mathbf{t}\}$; $n(\alpha) = fn(\alpha) \cup bn(\alpha)$.
The related labelled transition system is defined in
Table 1 where rules apply only to programs whose only free variables are signal names and
with standard conventions on the renaming of bound names. As usual, the symmetric rules
for $(par)$ and $(synch)$ are omitted. The rules are those of the polyadic π-calculus but for
the following points. (1) In the rule $(out)$, the emission is persistent. (2) In the rule $(in)$,
the continuation carries the memory that the environment has emitted $\overline{s}v$. For example,
this guarantees that in the program $s(x).(s(y).P,0),0$, if the environment provides a value
$sv$ for the first input then that value persists and is available for the second input too. (3)
The rules $(=^{ind}_1)$ and $(=^{ind}_2)$ handle the pattern matching. We write $P \xrightarrow{\alpha} \cdot$ for
$\exists P'\ P \xrightarrow{\alpha} P'$. We will also write $P \stackrel{\tau}{\Rightarrow} P'$ for $P (\xrightarrow{\tau})^* P'$ and
$P \stackrel{\alpha}{\Rightarrow} P'$ with $\alpha \neq \tau$ for $P (\stackrel{\tau}{\Rightarrow})(\xrightarrow{\alpha})(\stackrel{\tau}{\Rightarrow}) P'$.

A program is suspended, i.e., it reaches the end of an instant, when the labelled
transition system cannot produce further (internal) $\tau$ transitions.

Definition 1 We write $P\downarrow$ if $\neg(P \xrightarrow{\tau} \cdot)$ and say that the program $P$ is suspended.
p,^p[ bn{a)nHP,) = ^^^^^^^ pr'-^'Ti P2^Pi {t}n HP,) 



Pl\P2^Pi\P2 ' ' ' Pl\P2^ {P{ I P^) 

P^P' ti n{a) , , P P' t'^s t'e n{v)\{t} 



vtP^ut P' ^ ^t' P '^"''-^^^ P' 

Sl 7^ S2 



sig\ / sig 

~^ ' [S = s]Pu P2 ^ Pi ' [Si = S2]Pu P2 ^ P2 

match{v,p) = a ^^^^ match{v,p) =t 

^ [v>p]Pi,P2^(rPi ^ 2 ) [y>p]p^^p^l,p^ 

A(x) = P 

[rec] 



A{y) ^ [v/x]P 
Table 1: Labelled transition system during an instant 
V occurs in V{s) s ^ domiV) 

Oi — >0 St" I — s> s{x).F,K\ — >V{K) 

P,^PI 1 = 1,2 P^P' V'{s)\\-E{s) V[[]/s] = V'[[]/s] 



(Pi I P2) ™' I P^) usP z/s P' 

P^P' v\\-E 
P^P' 



Table 2: Transition system at the end of the instant 

When the program $P$ is suspended, an additional computation is carried on to move to
the next instant. This computation is described by the transition system $\mapsto$. First of all,
we have to compute the set of values emitted on every signal. To this end, we introduce
some notation.

Let $E$ vary over functions from signal names to finite sets of values. Denote with the
function that associates the empty set with every signal name, with $[M/s]$ the function
that associates the set $M$ with the signal name $s$ and the empty set with all the other
signal names, and with $\cup$ the union of functions defined pointwise.

We represent a set of values as a list of the values contained in the set. More precisely,
we write $v \Vdash M$ and say that $v$ represents $M$ if $M = \{v_1, \ldots, v_n\}$ and $v = [v_{\pi(1)}; \ldots; v_{\pi(n)}]$
for some permutation $\pi$ over $\{1, \ldots, n\}$. Suppose $V$ is a function from signal names to
lists of values. We write $V \Vdash E$ if $V(s) \Vdash E(s)$ for every signal name $s$. We also write
$dom(V)$ for $\{s \mid V(s) \neq []\}$. If $K$ is a continuation, i.e., a recursive call $A(\mathbf{r})$, then
$V(K)$ is obtained from $K$ by replacing each occurrence $!s$ of a dereferenced signal with the
associated value $V(s)$. We denote with $V[\ell/s]$ the function that behaves as $V$ except on $s$
where $V[\ell/s](s) = \ell$.

To define the transition $\mapsto$ at the end of the instant, we rely on an auxiliary judgement
$P \xrightarrow{E,V} P'$. Intuitively, this judgement states that: (1) $P$ is suspended, (2) $P$ emits exactly
the values specified by $E$, and (3) the behaviour of $P$ in the following instant is $P'$ and
depends on $V$. The transition system presented in Table 2 formalizes this intuition. For
instance, one can show that:

\[ \nu s_1\ (s_1(x).0, A(!s_2) \mid \overline{s_2}v_3) \mid (\overline{s_2}v_2 \mid \overline{s_1}v_1) \ \xrightarrow{E,V}\ \nu s_1\ (A(V(s_2)) \mid 0) \mid (0 \mid 0) \]

where $E = [\{v_1\}/s_1, \{v_2, v_3\}/s_2]$ and, e.g., $V = [[v_1]/s_1, [v_3;v_2]/s_2]$.

2.5 Derived operators 

We introduce some derived operators and some abbreviations. The calculi with pure signals
considered in [121 121 [I] can be recovered by assuming that all signals have type $Sig(1)$. In
this case, we will simply write $\overline{s}$ for $\overline{s}*$ and $s.P,K$ for $s(x).P,K$ where $x \notin FV(P)$. We
denote with $\Omega$ a looping process defined, e.g., by $\Omega = A()$ where $A() = A()$. We abbreviate
$s(x).P,0$ with $s(x).P$. We can derive an internal choice operator by defining:

\[ P_1 \oplus P_2 = \nu s\ (s(x).[x \unrhd 0]P_1,P_2 \mid \overline{s}0 \mid \overline{s}1) \]

where, e.g., we set $0 = []$ and $1 = [*]$. The pause operation suspends the execution till the
end of the instant. It is defined by:

\[ \mathsf{pause}.K = \nu s\ s.0,K \]

where $s \notin fn(K)$. We can also simulate an operator $\mathsf{await}\ s(x).P$ that waits for a value
on a signal $s$ for arbitrarily many instants by defining:

\[ \mathsf{await}\ s(x).P = s(x).P, A(\mathbf{x}) \]

where $\{\mathbf{x}\} = \{s\} \cup (FV(P) \setminus \{x\})$ and $A(\mathbf{x}) = s(x).P, A(\mathbf{x})$.

It is also interesting to program a generalised matching operator $[x = \nu\mathbf{s}\ v]_X P$ that
given a value $x$, checks whether $x$ has the shape $\nu\mathbf{s}\ v$ where the freshness of the signal
names $\mathbf{s}$ is relative to a finite set $X$ of signal names, i.e., no name in $\mathbf{s}$ belongs to $X$. If this
is the case, we run $P$ and otherwise we do nothing. Assuming $\{\mathbf{s}\} \subseteq fn(v)$, $fn(v) \setminus \{\mathbf{s}\} \subseteq X$,
$\{\mathbf{s}\} \cap X = \emptyset$, and X = whenever $\{\mathbf{s}\} = \emptyset$, there are three cases to consider:

1. $v = s$ is a signal name and $\mathbf{s}$ is empty. Then $[x = s]_X P$ is coded as $[x = s]P, 0$.

2. $v = s$ is a signal name and $\mathbf{s} = s$. Then $[x = \nu s\ s]_X P$ is coded as $[x \notin X]P$ where if
$X = \{s_1, \ldots, s_n\}$ then $[x \notin X]P$ is coded as $[x = s_1]0, (\cdots, [x = s_n]0, P \cdots)$.

3. $v = c(p_1, \ldots, p_n)$. Let $\{\mathbf{s'}\} = fn(v) \setminus \{\mathbf{s}\}$ be the set of signal names which are free in
$\nu\mathbf{s}\ v$. We associate with the vector of signal names $\mathbf{s'}$ a vector of fresh signal names
$\mathbf{s''}$. Let $v'' = [\mathbf{s''}/\mathbf{s'}]v$. Then $[x = \nu\mathbf{s}\ v]_X P$ is coded as:

\[ [x \unrhd v''][\mathbf{s''} = \mathbf{s'}][\{\mathbf{s}\} \cap X = \emptyset][\mathbf{s}\ \text{distinct}]P \]

where: (1) [s'{,...,s'^ = s[, . . . , s'^]Q is an abbreviation for [s'l = s[] . . . {[s'^^ = 
s'j^]Q,0) ... ,0, (2) [{s} n X = 0] is expressed by requiring that every signal name 
in {s} does not belong to X, and (3) [s distinct] is expressed by requiring that the 
signal names in s are pairwise different. For example, to express 

[X = USi, S2 C(si, 0(4, S2, Si), S3)]{4,4}P 

we write [x > c(si, 0(4, Sa, Si), 4)] [4 = 4][si ^ {4.4}][s2 ^ {4.4}][si ^ SajP. 
Note that the introduction of the auxiliary signal names s" is required because in the 
pattern considered the signal names are interpreted as variables and not as constants. 
Also, note that the names Si, S2, and S3 are bound in P. 
2.6 Comparison with the π-calculus

In order to make a comparison easier, the syntax of the Sπ-calculus is similar to the one
of the π-calculus. However there are some important semantic differences to keep in mind.

Deadlock vs. End of instant. What happens when all threads are either terminated or 
waiting for an event that cannot occur? In the π-calculus, the computation stops. In the
Sπ-calculus (and more generally, in the SL model), this situation is detected and marks
the end of the current instant. Then suspended threads are reinitialised, signals are reset, 
and the computation moves to the following instant. 

Channels vs. Signals. In the π-calculus, a message is consumed by its recipient. In the
Sπ-calculus, a value emitted along the signal persists within an instant and it is reset at
the end of it. We note that in the semantics the only relevant information is whether a 
given value was emitted or not, e.g., we do not distinguish the situation where the same 
value is emitted once or twice within an instant. 

Data types. The (polyadic) π-calculus has tuples as basic data type, while the Sπ-calculus
has lists. The reason for including lists rather than tuples in the basic calculus is that at 
the end of the instant we transform a set of values into a suitable data structure (in our 
case a list) that represents the set and that can be processed as a whole in the following 
instant. Note in particular, that the list associated with a signal is empty if and only if no 
value was emitted on the signal during the instant. This allows to detect the absence of a 
signal at the end of the instant. 

Determinism vs. Non-determinism. In the Sπ-calculus there are two sources of
non-determinism. (1) Several values emitted on the same signal compete to be received during
the instant, e.g., $\overline{s}0 \mid \overline{s}1 \mid s(x).P$ may evolve into either $\overline{s}0 \mid \overline{s}1 \mid [0/x]P$ or
$\overline{s}0 \mid \overline{s}1 \mid [1/x]P$. (2) At the end of the instant, values emitted on a signal are collected in an
order that cannot be predicted, e.g., $\nu s',s''\ (\overline{s}s' \mid \overline{s}s'' \mid \mathsf{pause}.A(!s, s', s''))$ may evolve into either
$A([s';s''], s', s'')$ or $A([s'';s'], s', s'')$. Accordingly, one may consider two restrictions to make
the computation deterministic. (i) If a signal can be read during an instant then at most
one value can be emitted on that signal during an instant.⁴ (ii) If a signal can only be read
at the end of the instant then the processing of the associated list of values is independent
of its order.⁵
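
The program $P$ of section 2.3 and the two sources of non-determinism listed above can be enumerated mechanically. The following Python code is an added example, not code from the paper: it covers only emission, the present statement and uninterpreted calls (no $\nu$, matching or recursive equations), and the tuple encoding and all function names are assumptions made here.

```python
from itertools import permutations, product

NIL = ("nil",)                                                 # terminated thread 0
def emit(s, v):             return ("emit", s, v)              # emission of v on signal s
def present(s, x, body, k): return ("present", s, x, body, k)  # s(x).body, k
def call(name, *args):      return ("call", name, args)        # A(args), left uninterpreted
def deref(s):               return ("deref", s)                # !s, only in continuations
def var(x):                 return ("var", x)

def subst(t, x, v):
    """[v/x]t; a present statement rebinding x shields its body, not its continuation."""
    if t == ("var", x):
        return v
    if isinstance(t, tuple) and t:
        if t[0] == "present" and t[2] == x:
            return t[:4] + (subst(t[4], x, v),)
        return tuple(subst(u, x, v) for u in t)
    return t

def threads(t):
    """Drop a terminated thread, keep any other thread."""
    return [] if t == NIL else [t]

def canon(ts):
    """A program is a multiset of parallel threads; sorting gives a canonical tuple."""
    return tuple(sorted(ts, key=repr))

def tau_steps(state, persistent=True):
    """All synchronisations between an emission and a present statement on one signal."""
    out = set()
    for i, t in enumerate(state):
        if t[0] != "present":
            continue
        for j, e in enumerate(state):
            if e[0] == "emit" and e[1] == t[1]:
                used = {i} if persistent else {i, j}   # a channel message is consumed
                rest = [u for k, u in enumerate(state) if k not in used]
                out.add(canon(rest + threads(subst(t[3], t[2], e[2]))))
    return out

def suspended(program, persistent=True):
    """States reachable by tau steps from which no further tau step is possible."""
    seen, todo, stuck = set(), [canon(program)], set()
    while todo:
        st = todo.pop()
        if st in seen:
            continue
        seen.add(st)
        nxt = tau_steps(st, persistent)
        if nxt:
            todo.extend(nxt)
        else:
            stuck.add(st)
    return stuck

def resolve(t, V):
    """Replace each !s by the list V(s), the empty list if nothing was emitted on s."""
    if isinstance(t, tuple) and t:
        if t[0] == "deref":
            return V.get(t[1], ())
        return tuple(resolve(u, V) for u in t)
    return t

def end_of_instant(state):
    """All programs a suspended state may become at the next instant."""
    E = {}                                             # signal -> set of emitted values
    for t in state:
        if t[0] == "emit":
            E.setdefault(t[1], set()).add(t[2])
    sigs = sorted(E)
    results = set()
    # V ranges over every way of listing each set E(s) in some order.
    for orders in product(*(permutations(sorted(E[s], key=repr)) for s in sigs)):
        V = dict(zip(sigs, orders))
        nxt = []
        for t in state:
            if t[0] == "present":
                nxt += threads(resolve(t[4], V))       # nothing received: continuation runs
            elif t[0] == "call":
                nxt.append(t)                          # uninterpreted call is kept
        results.add(canon(nxt))                        # emissions are reset
    return results

def next_instant(program):
    return set().union(*(end_of_instant(st) for st in suspended(program)))

def a_args(states):
    """The pairs (sigma(x), sigma(y)) passed to A in each suspended state."""
    return {t[3][2] for st in states for t in st
            if t[0] == "present" and t[3][0] == "call"}

# Constructed encoding of the program P of section 2.3 (the binder on s1, s2 is omitted).
X, Y = var("x"), var("y")
SAMPLE_P = [
    emit("s1", "v1"), emit("s1", "v2"),
    present("s1", "x",
            present("s1", "y",
                    present("s2", "z", call("A", X, Y), call("B", deref("s1"))),
                    NIL),
            NIL),
]

if __name__ == "__main__":
    print("signals :", sorted(a_args(suspended(SAMPLE_P))))
    print("channels:", sorted(a_args(suspended(SAMPLE_P, persistent=False))))
    print("next    :", sorted(next_instant(SAMPLE_P), key=repr))
```

With `persistent=False` the same search gives the channel reading of section 2.3, where the two received values must differ and the program deadlocks instead of moving to a next instant.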

2.7 Comparison with CBS and the timed π-calculus

In the calculus of broadcasting systems (CBS, [29]), threads interact through a unique 
broadcast channel. The execution mechanism guarantees that at each step one process 
sends a message while all the other processes either receive the message or ignore it. There 

⁴ For instance, the calculus with pure signals satisfies this condition.

⁵ In the languages of the Esterel family, sometimes one makes the hypothesis that the values collected
at the end of the instant are combined by means of an associative and commutative function. While
this works in certain cases, it seems hard to conceive such a function when manipulating objects such as
pointers. It seems that a general notion of deterministic program should be built upon a suitable notion
of program equivalence such as the one we develop here.
is a similarity between the emission of a value on a signal and the broadcast of a value in
the sense that in both cases the value can be received an arbitrary number of times. On 
the other hand, it appears that the CBS model does not offer a direct representation of the 
notion of instant. 

Berger's timed π-calculus [7] includes a primitive $\mathsf{timer}^t\ x(y).P,Q$ which means: wait
for a message on x for at most t time units and if it does not come then do Q. While there 
is a syntactic similarity with the present statement of the SL model, we remark that the 
notion of time unit is very different from the notion of instant in the SL model. In the SL 
model, an instant lasts exactly the time needed for every process to accomplish the tasks 
it has scheduled for the current instant. In the timed model, a time unit lasts exactly one 
reduction step. As a matter of fact, the notion of 'reduction step' is based on a rather 
arbitrary definition and it fails to be a robust programming concept. 

3 Labelled bisimulation and its characterisation 

We introduce a new notion of labelled bisimulation, a related notion of contextual bisim- 
ulation and state our main result: the two bisimulations coincide. 

Definition 2 We write:

\[ P \Downarrow_L \quad \text{if } \exists\, \alpha_1, P_1, \ldots, \alpha_n, P_n\ (\, P \xrightarrow{\alpha_1} P_1 \cdots \xrightarrow{\alpha_n} P_n,\ n \geq 0, \text{ and } P_n \downarrow \,) \qquad \text{(L-suspension)} \]

Obviously, $P\downarrow$ implies $P\Downarrow$ which in turn implies $P\Downarrow_L$ and we will see that these
implications cannot be reversed. The L-suspension predicate (L for labelled) plays an
important role in the definition of labelled bisimulation which is the central concept of this
paper.

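Definition 3 (labelled bisimulation) A symmetric relation $\mathcal{R}$ on programs is a labelled
bisimulation if whenever $P \mathrel{\mathcal{R}} Q$ the following holds:

(L1) If $P \xrightarrow{\tau} P'$ then $\exists Q'\ (\, Q \stackrel{\tau}{\Rightarrow} Q'$ and $P' \mathrel{\mathcal{R}} Q' \,)$.

(L2) If $P \xrightarrow{\nu\mathbf{t}\,\overline{s}v} P'$, $P \Downarrow_L$, $\{\mathbf{t}\} \cap fn(Q) = \emptyset$ then $\exists Q'\ (\, Q \stackrel{\nu\mathbf{t}\,\overline{s}v}{\Rightarrow} Q'$ and $P' \mathrel{\mathcal{R}} Q' \,)$.

(L3) If $P \xrightarrow{sv} P'$ then $\exists Q'\ (\, (Q \stackrel{sv}{\Rightarrow} Q'$ and $P' \mathrel{\mathcal{R}} Q')$ or $(Q \stackrel{\tau}{\Rightarrow} Q'$ and $P' \mathrel{\mathcal{R}} (Q' \mid \overline{s}v)) \,)$.

(L4) If $S = \overline{s_1}v_1 \mid \cdots \mid \overline{s_n}v_n$, $n \geq 0$, $P' = (P \mid S)\downarrow$, and $P' \mapsto P''$ then
$\exists Q', Q''\ (\, (Q \mid S) \stackrel{\tau}{\Rightarrow} Q'$, $Q'\downarrow$, $P' \mathrel{\mathcal{R}} Q'$, $Q' \mapsto Q''$, and $P'' \mathrel{\mathcal{R}} Q'' \,)$.

We denote with $\approx_L$ the largest labelled bisimulation.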

In reactive synchronous programming, a program is usually supposed to read 'input' 
signals at the beginning of each instant and to react delivering 'output' signals at the end 
of each instant. In particular, a program that does not reach a suspension point cannot 
produce an observable output signal. For instance, if we run $\overline{s} \mid \Omega$ then the emission on




(weak suspension) 
the signal $s$ should not be observable because the program never suspends. Following this
intuition, we comment on the conditions (L1-4).

(L1) This condition is standard in the framework of a bisimulation semantics. As in the
asynchronous case, it exposes the branching structure of a system to the extent that it
distinguishes, e.g., the program $(\overline{s_1} \oplus \overline{s_2}) \oplus \overline{s_3}$ from the program
$\overline{s_1} \oplus (\overline{s_2} \oplus \overline{s_3})$. We will
comment on alternative approaches at the end of this section.

(L2) According to the intuition sketched above, the condition (L2) requires that an output
of a program $P$ is observable only if $P \Downarrow_L$, i.e., only if $P$ may potentially reach a suspension
point (remember that in Sπ an output persists within an instant). The reasons for choosing
the L-suspension predicate rather than, e.g., the weak suspension predicate will be clarified 
in section H] and have to do with the fact that L-suspension has better properties with 
respect to parallel composition. We also anticipate that in the premise of condition (L2), 
it is equivalent to require P or P' JJ-l (cf. remark [T9l) and that in the conclusion the 
property Q' can be derived (cf. proposition [11]). Last but not least, we should stress 
that in practice we are interested in programs that react at each instant and for this reason, 
programs that do not satisfy the L-suspension predicate are usually rejected by means of 
static analyses. In this relevant case, the condition (L2) is the usual output condition of 
the TT-calculus. 

(L3) The reception of a signal is not directly observable just as the reception of a message
in the π-calculus with asynchronous communication. For instance, there is no reason to
distinguish $s.0, 0$ from $0$. Techniques for handling this situation have already been
developed in the framework of the π-calculus with asynchronous communication and amount to
modifying the input clause as in condition (L3) (see [3]). It is a pleasant surprise that this
idea can be transposed to the current context.

(L4) The condition (L4) corresponds to the end of the instant and of course it does not
arise in the π-calculus. The end of the instant is an observable event since, as we explained
above, it is at the end of the instant that we get the results of the program for the current
instant. Let us explain the role of the context $S = \overline{s_1}v_1 \mid \cdots \mid \overline{s_n}v_n$ in this condition.
Consider the programs:

P = si.O, A{\s2) Q = si.O, A{[]) A{1) = [I > []]0, si 

Then P I, Q [, P ^(D)) Q ^ ^(D)- However, if we plug P and Q in the context 
$[\,] \mid \overline{s_2}$ then the resulting programs exhibit different behaviours. In other terms, when
comparing two suspended programs we should also consider the effect that emitted values
may have on the computation performed at the end of the instant. We stress that the
context S must preserve the suspension of the program, therefore the emissions in S are
only relevant if they correspond to a signal s which is dereferenced at the end of the instant.
In particular, the number of contexts S to be considered in rule (L4) is finite whenever the
number of distinct values that can be emitted on dereferenced signals is finite (possibly up
to injective renaming).

Admittedly, the definition of labelled bisimulation is technical and following previous
work [TTJ [3] [15], we seek its justification through suitable notions of barbed and contextual
bisimulation.

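Definition 4 (commitment) We write $P \searrow \overline{s}$ if $P \xrightarrow{\nu\mathbf{t}\,\overline{s}v} \cdot$ and say that P commits to
emit on s.

Definition 5 (barbed bisimulation) A symmetric relation $\mathcal{R}$ on programs is a barbed
bisimulation if whenever $P \mathrel{\mathcal{R}} Q$ the following holds:

(B1) If $P \xrightarrow{\tau} P'$ then $\exists\, Q'$ ( $Q \stackrel{\tau}{\Rightarrow} Q'$ and $P' \mathrel{\mathcal{R}} Q'$ ).

(B2) If $P \searrow \overline{s}$ and $P \Downarrow_L$ then $\exists\, Q'$ ( $Q \stackrel{\tau}{\Rightarrow} Q'$, $Q' \searrow \overline{s}$, and $P \mathrel{\mathcal{R}} Q'$ ).

(B3) If $P \downarrow$ and $P \xrightarrow{N} P''$ then $\exists\, Q', Q''$ ( $Q \stackrel{\tau}{\Rightarrow} Q'$, $Q' \downarrow$, $P \mathrel{\mathcal{R}} Q'$, $Q' \xrightarrow{N} Q''$, and $P'' \mathrel{\mathcal{R}} Q''$ ).

We denote with $\approx_B$ the largest barbed bisimulation.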

We claim that this is a 'natural' definition. Condition (B1) corresponds to the usual
treatment of τ moves. Condition (B2) corresponds to the observation of the output
commitments in the π-calculus with asynchronous communication modulo the L-suspension
predicate whose role has already been discussed in presenting the condition (L2). We will
see that the L-suspension predicate $\Downarrow_L$ can be defined just in terms of internal reduction
(remark 10). As in condition (L2), the condition $Q' \Downarrow_L$ is a consequence of the definition
(cf. proposition 24(2)). Finally, condition (B3) corresponds to the observation of the end
of the instant and it is a special case of condition (L4) where the context S is empty.

Definition 6 A static context C is defined as follows:

$C ::= [\,] \;\mid\; (C \mid P) \;\mid\; \nu s\, C \qquad (1)$

A reasonable notion of program equivalence should be preserved by the static contexts,
i.e., by parallel composition and name generation. We define accordingly a notion of
contextual bisimulation (cf. pTj [15]).

Definition 7 (contextual bisimulation) A symmetric relation $\mathcal{R}$ on programs is a
contextual bisimulation if it is a barbed bisimulation (conditions (B1-3)) and moreover
whenever $P \mathrel{\mathcal{R}} Q$ then

(C1) $C[P] \mathrel{\mathcal{R}} C[Q]$, for any static context C.

We denote with $\approx_C$ the largest contextual barbed bisimulation.

Our main result shows that labelled and contextual bisimulation collapse. In particular,
this implies that labelled bisimulation is preserved by the contexts C. The proof will be
developed in the following sections.

Theorem 8 Let P, Q be programs. Then $P \approx_L Q$ if and only if $P \approx_C Q$.
We claim that our approach to the semantics of the Sπ-calculus is rather natural and
mathematically robust, however we cannot claim that it is more canonical than, say, the
weak, early bisimulation semantics of the π-calculus. We have chosen to explore a path
following our mathematical taste, however, as in the π-calculus, other paths could be
explored. In this respect, we will just mention three directions. First, one could remark that
condition (B1) in definition 5 allows one to observe the branching structure of a program and
argue that only suspended programs should be observed. This would lead us towards a
failure semantics/testing scenario [ISl [9] (in the testing semantics, a program that cannot
perform internal reductions is called stable and this is similar to a suspended program in
the synchronous context). Second, one could require that program equivalence is preserved
by all contexts and not just the static ones and proceed to adapt, say, the concept of open
bisimulation [31] to the present language. Third, one could plead for reduction congruence
[27] rather than for contextual bisimulation and then try to see whether the two concepts
coincide following [13]. We refer to the literature for standard arguments concerning
bisimulation vs. testing semantics (e.g., [2S]), early vs. open bisimulation (e.g., [31]), and
contextual vs. reduction bisimulation (e.g., [15]).



4 Understanding L-suspension 

In this section, we study the properties of the L-suspension predicate and justify its use in 
the definition of labelled bisimulation. 

Proposition 9 (characterisations of L-suspension) Let P be a program. The following
are equivalent:

(1) $P \Downarrow_L$.

(2) There is a program Q such that $(P \mid Q) \Downarrow$.

(3) There is a static context C (cf. definition 6) such that $C[P] \Downarrow_L$.

Proof. (1 $\Rightarrow$ 2) Suppose $P_0 \xrightarrow{\alpha_1} P_1 \cdots \xrightarrow{\alpha_n} P_n$ and $P_n \downarrow$. We build Q by induction on n. If
$n = 0$ we can take $Q = 0$. Otherwise, suppose $n > 0$. By inductive hypothesis, there is $Q_1$
such that $(P_1 \mid Q_1) \Downarrow$. We proceed by case analysis on the first action $\alpha_1$.

(tti = r) Then we can take Q = Qi and (Pq | Q) (Pi \ Qi). 

{ai = sv) Let Q = {Qi \ sv). We have (Pq | Q) —> (Pi | Qi \ sv). Since Pi ^ Pi, we 
observe that (Pi | Qi) JJ- implies (Pi | Qi \ sv) Jj.. 

(ai = z/t sv) We distinguish three subcases. 

1. If ai = st then define Q = s{t).Qi and observe that (Pq | Q) (Pi | Qi). 

2. If ai = ft st then define again Q = s{t).Qi and observe that (i) (Pq \ Q) ^ ut (Pi | 
Qi) and (ii) (Pi | Qi) ^ implies i^t (Pi | Qi) ^. 
3. If ai = ut sc(v) then let {t'} = /n(c(v))\{t} and t" a tuple of fresh names (one for 
each name in t'). We define Q = s{x).[x > [t'7t']c(v)]Qi, where x,t" ^ FV{Qi) 
and observe that: (i) (Pq \ Q) ^ i^t (Pi | Qi) and (ii) (Pi | Qi) -l| implies ut (Pi | 

Qi) J|. For instance, if Pq '^^ ^ then we take Q = s{x).[x > c(t,t")]Qi,0 with 
x,t"^FV{Qi). 

(2 3) Take C = [ ] | Q and note that by definition (P | Q) 4 implies (P | Q) 

(3 =^ 1) First, check by induction on a static context C that P ■ implies C[P] ■. 
Hence, C[P] | implies P |. Second, show that C[P] Q implies that Q = C'[P'] and 

either P = P' or P ^ P'. Third, suppose C[P] Qi ■ ■ ■ Qn with Qn i- Show by 
induction on n that P JJ-i,. □ 

Remark 10 The second characterisation shows that the L-suspension predicate can be
defined just in terms of the internal (τ) transitions and the suspension predicate. Thus it
does not depend on the choice of observing certain labels.

Proposition 11 (L-suspension and labelled equivalence) (1) If $\neg P \Downarrow_L$ and $\neg Q \Downarrow_L$
then $P \approx_L Q$.

(2) If $P \approx_L Q$ and $P \Downarrow_L$ then $Q \Downarrow_L$.

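Proof. (1) First we note that $\neg P \Downarrow_L$ and $P \xrightarrow{\alpha} P'$ implies $\neg P' \Downarrow_L$. Second, we check
that $\mathcal{R} = \{(P, Q) \mid \neg P \Downarrow_L$ and $\neg Q \Downarrow_L\}$ is a labelled bisimulation.

(L1) If $P \xrightarrow{\tau} P'$ then $\neg P' \Downarrow_L$. Then $Q \stackrel{\tau}{\Rightarrow} Q$ and $P' \mathrel{\mathcal{R}} Q$.

(L2) The condition holds since $\neg P \Downarrow_L$.

(L3) If $P \xrightarrow{sv} P'$ then $\neg P' \Downarrow_L$. Then $Q \stackrel{\tau}{\Rightarrow} Q$ and by proposition 9, $\neg Q \Downarrow_L$ implies
$\neg (Q \mid \overline{s}v) \Downarrow_L$.

(L4) The condition holds since $\neg (P \mid S) \downarrow$. Indeed if $(P \mid S) \downarrow$ then $(P \mid S) \Downarrow_L$ and by
proposition 9, $P \Downarrow_L$ which contradicts the hypothesis.

(2) Suppose $P_0 \approx_L Q_0$ and $P_0 \Downarrow_L$. We proceed by induction on the length n of the shortest
sequence of transitions to a suspended program: $P_0 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_n} P_n$ and $P_n \downarrow$. If $n = 0$ then
by (L4), $Q_0 \stackrel{\tau}{\Rightarrow} Q'$ and $Q' \downarrow$. Thus $Q_0 \Downarrow_L$. If $n > 0$ then we analyse the first action $\alpha_1$.

($\alpha_1 = \tau$) By (L1), $Q_0 \stackrel{\tau}{\Rightarrow} Q_1$ and $P_1 \approx_L Q_1$. By inductive hypothesis $Q_1 \Downarrow_L$ and therefore
$Q_0 \Downarrow_L$.

($\alpha_1 = \nu\mathbf{t}\,\overline{s}v$) By (L2), since $P_0 \Downarrow_L$, we have $Q_0 \stackrel{\nu\mathbf{t}\,\overline{s}v}{\Rightarrow} Q_1$ and $P_1 \approx_L Q_1$. By inductive
hypothesis, $Q_1 \Downarrow_L$. Thus $Q_0 \Downarrow_L$.

($\alpha_1 = sv$) According to (L3) we have two subcases. If $Q_0 \stackrel{sv}{\Rightarrow} Q_1$ and $P_1 \approx_L Q_1$ then
we reason as in the previous case. If $Q_0 \stackrel{\tau}{\Rightarrow} Q_1$ and $P_1 \approx_L (Q_1 \mid \overline{s}v)$ then by inductive
hypothesis $(Q_1 \mid \overline{s}v) \Downarrow_L$. By proposition 9, if $(Q_1 \mid \overline{s}v) \Downarrow_L$ then $Q_1 \Downarrow_L$. Thus $Q_0 \Downarrow_L$. □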
Thus labelled bisimulation equates all programs which cannot L-suspend and moreover
it never equates a program which L-suspends to one which cannot. In this sense,
L-suspension is reminiscent of the notion of solvability in the λ-calculus [6, p. 41]. In spite
of these nice properties, one may wonder whether the L-suspension predicate could be
replaced by the suspension or weak suspension predicate.

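Definition 12 We denote with $\approx_L^{\downarrow}$ ($\approx_L^{\Downarrow}$) the notion of labelled bisimulation obtained by
replacing in (L2) the condition $P \Downarrow_L$ with the condition $P \downarrow$ ($P \Downarrow$). Similarly, we
denote with $\approx_B^{\downarrow}$, $\approx_C^{\downarrow}$ ($\approx_B^{\Downarrow}$, $\approx_C^{\Downarrow}$) the notions of barbed and contextual bisimulations obtained by
replacing in (B2) the condition $P \Downarrow_L$ with the condition $P \downarrow$ ($P \Downarrow$).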

Proposition 13 (comparing bisimulations) (1) The following inclusions hold: 

(2) The barbed bisimulations and the labelled bisimulations $\approx_L^{\downarrow}$ and $\approx_L^{\Downarrow}$ are not preserved
by parallel composition.

Proof. (1) The non-strict inclusions follow from the remark that $P \downarrow$ implies $P \Downarrow$ which
implies $P \Downarrow_L$. We provide examples for the 4 strict inclusions.

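• Consider $P = (\overline{s_1} \mid (\overline{s_2} \oplus \overline{s_3}))$ and $Q = (\overline{s_1} \mid \overline{s_2}) \oplus (\overline{s_1} \mid \overline{s_3})$. Note that $P, Q \Downarrow$ but $\neg P, Q \downarrow$
and that to reach a suspension point, P and Q have to resolve their internal choices. Now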
we have P Q (and therefore P Q) but P Q (and therefore P f^j^ Q). To see the 
latter, observe that $P \searrow \overline{s_1}$ and that to match this commitment Q must choose between
$\overline{s_2}$ and $\overline{s_3}$.

• Let {t,t') abbreviate [t; t'] and s — > 0, f2 abbreviate s{x).[x > 0]0,f2. Consider: 

Pi = Ut, t' (S(t, t') I (t.Si © t.S2) I Q) 

P2 = iyt,t' (((s(M') I (t.si)) © (s(t,t') I (t.S2))) I Q) 

g =t'->o,fi|t'i 

Note that Pi, P2 JJ-l but -iPi, P2 -IJ-. The point is that the program Q loops unless the name 
t' is extruded to the environment and the latter provides a value on the signal t'. Then 
Pi ~^ P2. However, Pi P2- To see this, notice that Pi \ s and that to match this 
commitment, P2 has to resolve first the internal choice between si and S2. A variant of 

this example where we remove the input prefix t._ before the emissions Sj, z = 1, 2, shows 

A 



that ^5 is strictly included in 



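(2) It is well known that barbed bisimulation is not preserved by parallel composition.
For instance, $s.\overline{s_1} \approx_B s.\overline{s_2}$, but $(s.\overline{s_1} \mid \overline{s}) \not\approx_B (s.\overline{s_2} \mid \overline{s})$ if $s_1 \neq s_2$. To show that $\approx_L^{\downarrow}$ and $\approx_L^{\Downarrow}$
are not preserved by parallel composition consider again the programs $P_1$ and $P_2$ above in
parallel with: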

R= s{t,t').{{t I FO) © (t I FO I S3)) 
where s{t,t').P abbreviates s{x).[x > [t;t']]P,0. Remark that 

(Pi I R) ^ ut, t' {s{t, t') I {t.-si ® t.S2) \Q\t\fO) = P{ 

To match this move, suppose (P2 | R) ^ ^2- Now must be able to suspend while losing 
the possibility of committing on S3. Hence, there must be a synchronisation on s between 
P2 and R. In turn, this synchronisation forces P2 to choose between si and S2- Suppose, 
e.g., (P2 I R) chooses si, then in a following move P/ chooses S2 and becomes: 

Ut,t' is{t,t') I S2 I I t I FO I Fl) 
which is suspended and commits on S2. The program P2 cannot match this move. □ 

Note that in (1) the inclusions for the barbed and labelled bisimulations are strict. On 
the other hand, we do not know whether the inclusions of the contextual bisimulations 
are strict. However, by (2) we do know that the notions of labelled bisimulation where L- 
suspension is replaced by (weak) suspension are not preserved by parallel composition and 
therefore cannot characterise the weaker notions of contextual bisimulation. The conclusion 
we draw from this analysis is that $\approx_L$ is the good notion of labelled bisimulation among
those considered.
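
The first example in the proof of Proposition 13 can be checked mechanically. The following is an added illustration, not code from the paper: it computes the largest barbed bisimulation (conditions (B1)-(B3)) as a greatest fixpoint over a constructed five-state transition system for P and Q, once with (B2) guarded by suspension and once by weak suspension. The state names, the one-step internal choice, suspension read as "no τ move" and the empty program after the end of the instant are modelling assumptions; since weak suspension implies L-suspension and every state here weakly suspends, the L-suspension guard gives the same result as the weak one.

```python
from itertools import product

# Constructed five-state model (not from the paper's text) of
#   P = s1! | (s2! (+) s3!)   and   Q = (s1! | s2!) (+) (s1! | s3!),
# writing s! for an emission on s and (+) for internal choice, resolved
# here in a single tau step (modelling assumption).
#   A2 = s1! | s2!     A3 = s1! | s3!     Z = 0
TAU = {"P": {"A2", "A3"}, "Q": {"A2", "A3"}, "A2": set(), "A3": set(), "Z": set()}
COMMITS = {"P": {"s1"}, "Q": set(), "A2": {"s1", "s2"}, "A3": {"s1", "s3"}, "Z": set()}
# End-of-instant move of suspended states; emissions do not survive the
# instant (modelling assumption).
NEXT = {"A2": "Z", "A3": "Z", "Z": "Z"}
STATES = sorted(TAU)


def weak_tau(p):
    """States reachable from p by zero or more tau moves."""
    seen, todo = {p}, [p]
    while todo:
        for r in TAU[todo.pop()]:
            if r not in seen:
                seen.add(r)
                todo.append(r)
    return seen


def suspended(p):
    """Suspension: no tau move is possible (assumption of this model)."""
    return not TAU[p]


def weakly_suspends(p):
    """Weak suspension: a suspended state is reachable by tau moves."""
    return any(suspended(r) for r in weak_tau(p))


def ok(p, q, rel, guard):
    """Conditions (B1)-(B3) for the ordered pair (p, q) with respect to rel."""
    reach = weak_tau(q)
    # (B1) every tau move of p is matched by a weak tau move of q.
    b1 = all(any((p1, q1) in rel for q1 in reach) for p1 in TAU[p])
    # (B2) commitments of p are observed only when the guard holds for p.
    b2 = True
    if guard(p):
        b2 = all(any(s in COMMITS[q1] and (p, q1) in rel for q1 in reach)
                 for s in COMMITS[p])
    # (B3) the end of the instant is observed on suspended programs.
    b3 = True
    if suspended(p):
        b3 = any(suspended(q1) and (p, q1) in rel
                 and (NEXT[p], NEXT[q1]) in rel for q1 in reach)
    return b1 and b2 and b3


def largest_barbed_bisimulation(guard):
    """Greatest symmetric relation closed under (B1)-(B3) for this guard."""
    rel = set(product(STATES, STATES))
    changed = True
    while changed:
        changed = False
        for p, q in sorted(rel):
            if (p, q) in rel and not (ok(p, q, rel, guard) and ok(q, p, rel, guard)):
                rel -= {(p, q), (q, p)}
                changed = True
    return rel


if __name__ == "__main__":
    for name, guard in (("suspension", suspended),
                        ("weak suspension", weakly_suspends)):
        rel = largest_barbed_bisimulation(guard)
        print(name, "guard relates P and Q:", ("P", "Q") in rel)
```

With the suspension guard the commitment of P on s1 is never tested, because P is not yet suspended, so P and Q stay related; with the weak guard Q has to pick a branch to match the commitment and the pair is removed.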

5 Strong labelled bisimulation and an up-to technique 

It is technically convenient to introduce a strong notion of labelled bisimulation which is 
used to bootstrap the reasoning about the weaker notion we are aiming at. 

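Definition 14 (strong labelled bisimulation) A symmetric relation $\mathcal{R}$ on programs is
a strong labelled bisimulation if whenever $P \mathrel{\mathcal{R}} Q$ the following holds:

(S1) $P \xrightarrow{\alpha} P'$ and $bn(\alpha) \cap fn(Q) = \emptyset$ implies $\exists\, Q'$ ( $Q \xrightarrow{\alpha} Q'$ and $P' \mathrel{\mathcal{R}} Q'$ ).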

{S2) (P I 5) i with S = {s^vi I ■ ■ ■ I s;;n„), n > and {P \ S) ^ P' implies {P \ S) TZ {Q \ 
S) and 3Q' (Q ^ Q' and P' TZ Q') . 

We denote with $\equiv_L$ the largest strong labelled bisimulation.

Proposition 15 If $P \equiv_L Q$ then $P \approx_L Q$.

Proof. We check that $\equiv_L$ is a labelled bisimulation. Conditions (L1-3) follow from
condition (S1). Condition (L4) follows from condition (S2) noticing that $(P \mid S) \equiv_L (Q \mid S)$
and $(P \mid S) \downarrow$ implies by (S1) that $(Q \mid S) \downarrow$. □

When comparing strong labelled bisimulation with labelled bisimulation it should be
noticed that in the former not only we forbid weak internal moves but we also drop the
convergence condition in (L2) and the possibility of matching an input with an internal
transition in (L3). For this reason, we adopt the notation $\equiv_L$ rather than the usual






Definition 16 We say that a relation $\mathcal{R}$ is a strong labelled bisimulation up to strong
labelled bisimulation if the conditions (S1-2) hold when we replace $\mathcal{R}$ with the larger
relation $(\equiv_L) \circ \mathcal{R} \circ (\equiv_L)$.

The following proposition summarizes some useful properties of strong labelled
bisimulation. In the present context, an injective renaming is an injective function mapping
signal names to signal names.

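Proposition 17 (properties of $\equiv_L$) (1) If $P \equiv_L Q$ and $\sigma$ is an injective renaming then
$\sigma P \equiv_L \sigma Q$.

(2) $\equiv_L$ is a reflexive and transitive relation.

(3) The following laws hold:

$(P \mid 0) \equiv_L P$, $\quad P_1 \mid (P_2 \mid P_3) \equiv_L (P_1 \mid P_2) \mid P_3$, $\quad (P_1 \mid P_2) \equiv_L (P_2 \mid P_1)$,

$\nu s_1, s_2\, P \equiv_L \nu s_2, s_1\, P$, $\quad (\nu s\, P_1) \mid P_2 \equiv_L \nu s\, (P_1 \mid P_2)$ if $s \notin fn(P_2)$.

(4) If $P \equiv_L Q$ then $(P \mid S) \equiv_L (Q \mid S)$ where $S = (P_1 \mid \cdots \mid P_n)$ and $P_i = 0$ or $P_i = \overline{s_i}v_i$,
for $i = 1, \ldots, n$, $n \geq 0$.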

Proof hint. Most properties follow by routine verifications. We just highlight some
points.

(2) Recalling that $P \equiv_L Q$ and $P \downarrow$ implies $Q \downarrow$.

(3) Introduce a notion of normalised program where parallel composition associates to the
left, all restrictions are carried at top level, and programs are the identity for parallel
composition. Then define a relation $\mathcal{R}$ where two programs are related if their normalised
forms are identical up to bijective permutations of the restricted names and the parallel
components. A pair of programs equated by the laws under consideration is in $\mathcal{R}$. Show
that $\mathcal{R}$ is a strong labelled bisimulation.

(4) Show that $\{(P \mid S, Q \mid S) \mid P \equiv_L Q\}$ is a strong labelled bisimulation where S is
defined as in the statement. □

The following proposition summarizes the properties of the output transition. 

Proposition 18 (emission) (1) If $P \xrightarrow{\nu\mathbf{t}\,\overline{s}v} P'$ then $P \equiv_L \nu\mathbf{t}\,(\overline{s}v \mid P'')$ and $P' \equiv_L (\overline{s}v \mid P'')$.

(2) If $P \xrightarrow{\nu\mathbf{t}\,\overline{s}v} P'$ then $P \Downarrow_L$ if and only if $P' \Downarrow_L$.

Proof. (1) In deriving $P \xrightarrow{\nu\mathbf{t}\,\overline{s}v} P'$ one can only rely on the rules {out , par u , u f,^) . We
use the laws of strong labelled bisimulation (proposition 17(2)) to put the program in the
desired form.

(2) By definition, $P' \Downarrow_L$ implies $P \Downarrow_L$. In the other direction, relying on (1), assume
that the program has the shape $\nu\mathbf{t}\,(\overline{s}v \mid P)$. We also know that this program L-suspends.
By proposition 9, there is a program Q such that $\nu\mathbf{t}\,(\overline{s}v \mid P) \mid Q \Downarrow$. That is, assuming
$\{\mathbf{t}\} \cap fn(Q) = \emptyset$, we have that $\nu\mathbf{t}\,(\overline{s}v \mid P \mid Q) \Downarrow$. The latter implies that there is a $Q'$ such
that $(\overline{s}v \mid P \mid Q) \stackrel{\tau}{\Rightarrow} Q'$ and $Q' \downarrow$. Again, by proposition 9, this means that $(\overline{s}v \mid P) \Downarrow_L$. □

Remark 19 By proposition 18(2), in condition (L2) of definition 3 it is equivalent to
require $P \Downarrow_L$ or $P' \Downarrow_L$.

Our main application of strong labelled bisimulation is in the context of a rather
standard 'up to technique'.

Definition 20 A relation $\mathcal{R}$ is a labelled bisimulation up to $\equiv_L$ if the conditions (L1-4)
are satisfied when we replace the relation $\mathcal{R}$ with the (larger) relation $(\equiv_L) \circ \mathcal{R} \circ (\equiv_L)$.

Proposition 21 (up-to technique) Let $\mathcal{R}$ be a labelled bisimulation up to $\equiv_L$. Then:

(1) The relation $(\equiv_L) \circ \mathcal{R} \circ (\equiv_L)$ is a labelled bisimulation.

(2) If $P \mathrel{\mathcal{R}} Q$ then $P \approx_L Q$.

Proof. (1) A direct diagram chasing using proposition 17.

(2) Follows directly from (1). □

6 Congruence properties of labelled bisimulation 

We are now ready to study the congruence properties of labelled bisimulation. The most 
important part of the proof concerns the preservation under parallel composition and name 
generation and it is composed of 12 cases. 

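Proposition 22 (1) If $P_1 \approx_L P_2$ and $\sigma$ is an injective renaming then $\sigma P_1 \approx_L \sigma P_2$.

(2) If $P_1 \approx_L P_2$ then $(P_1 \mid \overline{s}v) \approx_L (P_2 \mid \overline{s}v)$.

(3) The relation $\approx_L$ is reflexive and transitive.

(4) If $P_1 \approx_L P_2$ then $\nu s\, P_1 \approx_L \nu s\, P_2$ and $(P_1 \mid Q) \approx_L (P_2 \mid Q)$.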

Proof. (1) By propositions [TTT l) andfTSl 

(2) We show that the relation TZ =~l U{( Pi | st>, P2 \ ^v ) \ Pi P2} is a labelled 
bisimulation up to =l. We assume Pi P2 and we analyse the conditions (LI — 4). 

(LI) Suppose (Pi I sv) (P{ I sv). If the action r is performed by Pi then the hypothesis 
and condition (LI) allow to conclude. Otherwise, suppose Pi — > P[. Then we apply the 
hypothesis and condition (L3). Two cases may arise: (1) If P2 =^ P2 and P/ ~l Pg then 
the conclusion is immediate. (2) If P2 =5> Pj and P{ ~l (Pg | sv) then we note that 
(P2 I sv) =L (P2 I sv) I sv and we close the diagram up to =l. 
(L2) Suppose (Pi I sv) and (Pi | sv) -4" (P/ | sv). If the emission action is performed 
by sv then the conclusion is immediate. Otherwise, note that Pi JJ-^. Hence by {L2), 

P2 =^ P^ and Pi' Ps- But then (P2 | sv) =4 (P^ | si;) and we can conclude. 

(L3) Suppose (Pi I sf) ^ (P/ | st"). Necessarily, Pi ^ P{. By (L3), two cases may arise. 

If P2 =^ P2 and Pi' ~L P2 then the conclusion is direct. On the other hand, if P2 ^ P2 
and P{ ~L (P2 I s'v') then we note that 

(Pi' I sv) 7^ ((P2 I I sv) =L ((P2 I sv) I 

and we close the diagram up to =l. 

(L4) Let 5* = sTf 1 | ■ ■ ■ | s^Vn- Suppose (Pi | sf | 5") | and (Pi | st" | S") 1— P[. By 
(L4) applied to {sv \ S), we derive that (P2 | sf | S") ^ (P2" | sv \ S), (Pg' \ sv \ S) |, 
(Pi \sv\S) {P2 I I S), (P^' I s?; I ^) ^ P^, and Pi' Pa- 

(3) It is easily checked that the identity relation is a labelled bisimulation. Reflexivity fol- 
lows. As for transitivity, we check that the relation R =~l o is a labelled bisimulation 
up to =L. Suppose Pi P2 ~L Ps- 

(LI) Standard argument. 

(L2) Suppose Pi JJ-L and Pi P[. Note that by (1) we can assume that the names t are 
not in P2. By (L2), P2 P^ and P[ Pg- By proposition [I8];2), Pi U implies Pi' ij-i- 
By proposition [TT](2) . P[ ij-^ and P[ ~l P2 implies P2 We conclude by applying (LI) 
and (L2) to P2 and P3. 

(L3) Suppose Pi ^ P{. Two interesting cases arise when either P2 or P3 match an 
input action with an internal transition. (1) Suppose first P2 ^ P2 and Pi ~l {P2 I ^"^O- 
By P2 ~L P3 and repeated application of (LI) we derive that P3 ^ P3 and P^ P3. 
By property (2), the latter implies that (Pg | sv) (-P3 I sv) and we combine with 
Pi (P^ I sv) to conclude. (2) Next suppose P2 ^ Pa^ ^ P| ^ P^ and Pi 
Suppose that P3 matches these transitions as follows: P3 ^ P^ ^ P^, P2 ~l {Pi I sv), 
and moreover {P^ \ sv) ^ (P3 | sv) with P2 ~l (P3 | sv). Two subcases may arise: (i) 
P3 ^ -^s- Then we have P3 4> P3, P2 ~l (P3 | sv) and we can conclude, (ii) P3^ ^ P3. 
Then we have P3 =4 P3 and Pg ~l (P3 | st') =1 P^. Note that Pg^ does not need to perform 
the action sv more than once. 

(L4) Let S = s^vi \ ■■■ \ T^lv^. Suppose (Pi | S) [ and (Pi | S) ^ P[. By (L4), 
(P2 I S) ^ {P!l I S), (P^' I S) i, (Pi I S) (P^' I S), {P!l I 5) ^ P^, and A' ^z. P^. 
By (LI), (P3 I S) ^ (P^' I 5) and (P^" | 5) (P^' | ^). By (L4), (P^' | ^) ^ (Pf | S), 
(P^" I 5) i, (P^' I S) {P3" I S), (Pf I 5) ^ P^, P^ P^ and we can conclude. 

(4) We show that 7^ = {{ut (Pi | Q),ut (P2 | Q)) \ Pi ^^^l P2}U is a labelled 
bisimulation up to =l. 

(LI) Suppose z/t (Pi I Q) ^ ■. This may happen because either Pi or Q perform a r action 
or because Pi and Q synchronise. We consider the various situations that may occur. 
(Ll)[l] Suppose Q ^ Q'. Then ut (P2 \ Q) ^ i^t (P2 | Q') and we can conclude. 

(LI) [2] Suppose Pi ^ Pi. By (L2) P2 ^ P^ and P;( ^2- Then ut (P2 | Q) ^ z/t (P2' | 

Q) and we can conclude. 

(LI) [3] Suppose Pi ^ Pi' and Q '^^-J" Q\ According to (L3), we have two subcases. 
(LI) [3.1] Suppose P2 ^ P^ and P{ P^. Then i^t (P2 | Q) ^ ut,t' (P^ | Q') and we can 
conclude. 

(LI) [3.2] Suppose P2 ^ P^ and P{ (P^ | sv). By proposition [I8](2), Q =l ut' Q' and 
Q' =i {Q" I Si;) for some Q" . Then z/t (P2 | Q) ^ i/t (P^ | Q) =l i/t,t' (P^ | su) | Q" and 
we can conclude up to =l. 

(LI) [4] Suppose Pi and Q ^ Q' . We have two subcases. 

(LI) [4.1] Suppose ^Pi ^L. By propositions [9] and [IH -^ut (Pi | Q) ^l, ^P2 ^l, -^ut (P2 | 
Q) ^L, ^A' 4l> and ^ut,t' {P[ \ Q') Hence, ut,t' {P[ \ Q') (P2 | Q) and we can 

conclude. 

(LI) [4.2] Suppose Pi 4l. By (L2), P2 P^ and P[ P^- Hence i^t (P2 | Q) ^ 

ut,t' (P2 I Q') and we can conclude. 

(L2) Suppose ut (Pi | Q) '^^-J'" . and ut (Pi | Q) JJ-l. Also assume t = ti, t2 and t' = ti, t^ 
up to reordering so that the emission extrudes exactly the names ti among the names in 
t. We have two subcases depending which component performs the action. 

(L2)[l] Suppose Q ^ Q'. Then ut (P2 | Q) ut^ (P2 | Q') and we can conclude. 

(L2)[2] Suppose Pi "^^^^ p^. By proposition [9l we know that Pi Hence P2 "^i^"" p^ 

and P[ Pi- Then ut (P2 | Q) " z/ta (P^ | Q) and we can conclude. 

(L3) Suppose ut (Pi \ Q) ^ ■ We have two subcases depending which component performs 
the action. 

(L3)[l] Suppose Q ^ Q' . Then ut (P2 \ Q) ^ ut (P2 | Q') and we can conclude. 

(L3)[2] Suppose Pi ^ P[. According to (L3) we have two subcases. 

(L3)[2.1] Suppose P2 ^ P^ and P[ ^'2- Then ut (P2 \ Q) ^ ut (P^ | Q) and we can 
conclude. 

(L3)[2.2] Suppose P2 ^ P^ and P[ {P2 I sw). Then ut (P2 \ Q) ^ ut (P^ | Q) and 
since z/t (Pg \ Q) \ =l ut ((Pg | 'sv) \ Q) we can conclude up to =l. 

(L4) Suppose S = JiVi | ■ ■ ■ | 's^Vn and ut (Pi | Q) \ SI. Up to strong labelled 
bisimulation, we can express Q as utg {Sq \ Iq) where Sq is the parallel composition of 
emissions and Iq is the parallel composition of receptions. Thus we have: ut (Pi | Q) \ 
S =L z/t,tQ (Pi \ Sq \ Iq \ S), and ut (P2 \ Q) \ S =l z/t,tQ (P2 \ Sq \ Iq \ S) assuming 
{t} n fn{S) = and {tg} n fn{Pi | 5) = for z = 1, 2. 

If ut (Pi \ Q) \ S ^ P then P =l ^t,tQ {P[' \ Q') where in particular, we have that 
(Pi I 5q I 5) i and (Pi I 5q I 5) (Pi' I I 0). 
By the hypothesis Pi P2 and (L4) we derive that: (i) (P2 | 5q | 5) 4> {P^' | | 
(ii) (P^' I Sq I S) i, (iii) (P^' I Sq I ^) ^ (P^ I I 0), (iv) (Pi I 5q I S) {P^ I 5q I S), 
and (v) (Pi' I I 0) (P^ I I 0). 

Because (Pi | | 5") and (Pg' | | S*) are suspended and labelled bisimilar, the 
two programs must commit (cf. definition Hj) on the same signal names and moreover 
on each signal name they must emit the same set of values up to renaming of bound 
names. It follows that the program vt.tq (Pg' \ Sq \ Iq \ S) is suspended. The only 
possibility for an internal transition is that an emission in P2 enables a reception in Iq 
but this contradicts the hypothesis that ft.tq (Pi \ Sq \ Iq \ S) is suspended. Moreover, 
(P^' I Sq I Iq I S) ^ (P^ I I Q' I 0). 

Therefore, we have that 

Ut (P2 \Q)\S=L vt,tQ (P2 \Sq\Iq\S)^ vt.tQ [P'i \Sq\Iq\ S), 

z/t,tQ {Pll \Sq\Iq\S) i, and z/t,tQ (P^' \Sq\Iq\S)^ vt.tq (P^ | | | 0). Now 
vt.tQ (Pi \Sq\Iq\S)TI vt.tQ (P2" \Sq\Iq\S) because (Pi \Sq\S) {P2 \ Sq \ S) 
and i/t, tg (P{ I Q') 7^ i/t, tg (P^ | Q') because P/ P^. □ 

We can now derive the first half of the proof of theorem 8.

Corollary 23 Let P, Q be programs. Then $P \approx_L Q$ implies $P \approx_C Q$.

Proof. Labelled bisimulation is a barbed bisimulation and by proposition 22 it is
preserved by the contexts C. Hence it is a contextual bisimulation. □

7 Building discriminating contexts 

To complete the proof of theorem 8, it remains to show that our contexts are sufficiently
strong to make all distinctions labelled bisimulation does. First we note the analogue of
proposition 11 for contextual bisimulation.

Proposition 24 (1) If $\neg P \Downarrow_L$ and $\neg Q \Downarrow_L$ then $P \approx_C Q$.

(2) If $P \approx_C Q$ and $P \Downarrow_L$ then $Q \Downarrow_L$.

Proof. (1) By proposition 11, $P \approx_L Q$ and by corollary 23, $P \approx_C Q$.

(2) By proposition 9 there is a program R such that $(P \mid R) \Downarrow$, i.e., $(P \mid R) \stackrel{\tau}{\Rightarrow} P_1$ and
$P_1 \downarrow$. By (C1), $(P \mid R) \approx_C (Q \mid R)$. By (B1), $(Q \mid R) \stackrel{\tau}{\Rightarrow} Q_1'$ and $P_1 \approx_C Q_1'$. By (B3),
$Q_1' \stackrel{\tau}{\Rightarrow} Q_1''$ and $Q_1'' \downarrow$. Thus $(Q \mid R) \Downarrow$ and again by proposition 9 this implies that $Q \Downarrow_L$. □

Proposition 25 If $P \approx_C Q$ then $P \approx_L Q$.
Proof. We denote with $a_i, b_i, c_i, \ldots$ 'fresh' signal names not occurring in the programs
under consideration. We will rely on the signal names $a_i$ to extrude the scope of some signal
names and on the signal names $b_i, c_i$ to monitor the internal transitions of the programs.
We define a relation $\mathcal{R}$:

$P_1 \mathrel{\mathcal{R}} P_2$ if $\nu\mathbf{t}\,(P_1 \mid O) \approx_C \nu\mathbf{t}\,(P_2 \mid O)$ for some $\mathbf{t}$, $O$,

where: $\mathbf{t} = t_1, \ldots, t_n$, $O = \overline{a_1}t_1 \mid \cdots \mid \overline{a_n}t_n$, $\{a_1, \ldots, a_n\} \cap fn(P_1 \mid P_2) = \emptyset$.

By definition, if $P_1 \approx_C P_2$ then $P_1 \mathrel{\mathcal{R}} P_2$ taking $\mathbf{t}$ as the empty vector and O as the empty
parallel composition. The purpose of the relation $\mathcal{R}$ is to enlarge the definition of contextual
bisimulation so that some signal names $\mathbf{t}$ are at once restricted and observable thanks to
the emission performed by O. We will show that $\mathcal{R}$ is a labelled bisimulation up to
strong labelled bisimulation so that we have the following implications:

$P_1 \approx_C P_2 \;\Rightarrow\; P_1 \mathrel{\mathcal{R}} P_2 \;\Rightarrow\; P_1 \approx_L P_2$.

• We have seen in section 12.51 that an internal choice operator $\oplus$ is definable in the
Sπ-calculus. In order to simplify the notation, in the following we assume that $P_1 \oplus P_2$ reduces
to either $P_1$ or $P_2$ by just one τ-transition. In reality, the reduction takes one τ-transition
to perform the internal choice, a second deterministic τ-transition to select the right branch
of the matching operator, and some garbage collection to remove signals that are under
the scope of a restriction and cannot be received. The second transition and the garbage
collection do not affect the structure of the proof and we will ignore them.

• Assuming $O = \overline{a_1}t_1 \mid \cdots \mid \overline{a_n}t_n$ and $\mathbf{a} = a_1, \ldots, a_n$, we will repeatedly use a program
$R(\mathbf{a})[P]$ which is defined as follows:

P(a)[P] = ai(ti).6r©(cr© 

02(^2) -^2 © (c^© 

anitn)X®ic;^®P)...) 

Next we assume $P_1 \mathrel{\mathcal{R}} P_2$ because $\nu\mathbf{t}\,(P_1 \mid O) \approx_C \nu\mathbf{t}\,(P_2 \mid O)$ for some $\mathbf{t}$, $O$, and consider
the conditions (L1-4).

(LI) Suppose Pi ^ Pi'. Then z/t (Pi \ O) ^ ut (P/ | O). By (PI), z/t (P2 \ O) ^ Q 
and ut {P[ I O) ~c Q. Note however that O cannot interact with P2 and its derivatives 
because the signal names a do not occur in (Pi | P2). Hence it must be that P2 =^ P2 and 
Q = ut (P2 I O). Then by definition of the relation TZ, we derive that P[ TZ P!^. 

(L2) Suppose Pi and Pi Pi' with t' = t'l, . . . , C. Let X = /n(Pi | P2). Let 
R = R{ai)[s{x).[x = z/t' v]xu{t'} (&n+i © {c^iTi ® O'))], where 

O Ct^^iti I ■ ■ ■ I Otn+m^rn 

Now we have: 

z/t (Pi I O) I P ^ z/t, t' (Pi' \ 0\0') 
by a series of reductions where first R interacts with O to learn the names ti . . . , t„, then 
it interacts with Pi to read a value ut' v (note that the freshness of t' is checked with 
respect to both X and t), and finally it emits with O' the names t' extruded by Pi. We 
remark that in all the intermediate steps the program has the L-suspension property, thus 
condition {B2) applies and in particular the commitments on bi,Ci are observable. 

Next, we decompose this series of reductions in several steps and analyse how the 
program z/t (P2 \ O) \ R may match them according to the definition of contextual bisim- 
ulation. Suppose first 

z/t (Pi I O) I P^Z/ti {Ut2,...,tn (Pi I O) I (Cr©a2(t2)---)) 

The reduced program cannot commit on bi while it can commit on Ci. If i/t (P2 \ O) \ R 
has to match this reduction, then R must necessarily perform the input action and stop 
at the same point of the control (ci © 02(^2) ■ ■ ■ )• By this communication, the scope of 
the restricted name ti is extruded to R. The program O is composed only of emissions 
and therefore it cannot change. The program P2 may perform some internal actions but it 
cannot interact with O and R. 

If we repeat this argument n times, we conclude that ut (Pi \ O) \ R ^ ut (Pi | 
O I c;: © s{x) ■ ■ ■ ) and z/t (P2 I O) I P ^ z/t (P^ I O I c;: © s{x) ■■■) where P2 ^ P^. 
Now the first program performs a communication on s between Pi and the residual of R 
and, provided the emitted value has the expected shape z/t' v, it reduces to z/t,t' (P^ | 

O I Cn+i © O'). In order to match this transition, it must be that P2 p^' and the 

second program reduces to z/t, t' (P2' | O \ Cn+i © O'). Now if the first program moves to 
z/t,t' {P{ \ O \ O'), the second must move to z/t,t' (Pf | O | C) where P" 4> Pf and 

z/t,t' (Pi' \ \ 0') i^t,t' (Pf \ 0\ 0'). Since P2 ^ ■ ''''^^ ■ ^ Pf , we can conclude 

that P2 P2'" and P/ 7^ P2'". 

(L3) Suppose Pi ^ Pi'. We consider two subcases. 

(L3)[l] Suppose ^Pi \^L- Then, ^P{ 4^. By proposition El ^z/t (Pi | O) and ^z/t {P[ \ 
O) By proposition [2U -lut (P2 | O) JJ-l- Let us show that the latter implies -1P2 JJ-l. 
If P2 Jj-L, by proposition [9] there is a Q such that (P2 \ Q) ^ Q' and Q' |. Then we would 
have: 

z/t (P2 I O) I P(a)[Q] 4> z/t (P2 I O I g) ^ z/t Q' I O . 

Now if Q' I then ut Q' \ O I, and this contradicts the hypothesis that -iz/t (P2 | O) 
Thus P2 ^ P2, -(P2 I sv) and Pi {P2 \ sv). 

(L3)[2] Suppose Pi In this case, the commitments are observable. We define 

R = R{a)[sv] 

Then z/t (Pi | O) | P ^ z/t (Pi' \ \sv) and z/t (P2 | O) | P ^ z/t (P2 | O | sv). We note 
that z/t (Pi' I O I sf ) =L i^t (Pi I O) since Pi ^ P^. We have two subcases. 

(L3)[2.1] Suppose P2 ^ P^. Then P^ =l (P^ | st;) and therefore Pi' 7^ P^ up to =l. 
(L3)[2.2] Suppose P2 ^ P^. Then P[ 7^ {P!^ \ sv) up to =l. 
(L4) Suppose (Pi I S) [ and (Pi | S) ^ P[. We consider 

Pi = P(a)[5] P2 = P(a)[5 I pause.O] 

By (CI), ut (Pi \0)\R, i^t (P2 I O) I Pi for i = 1, 2. Also 

z/t (Pi I O) I Pi ^ z/t (Pi I O I 5) i 

and 

i^t (Pi I O) I P2 ^ z/t (Pi I O I 5 I pause.O) {P[ \ O) . 

Then we must have: 

(1) z/t (P2 I O) I Pi ^ z/t (P^' I O I 5) i and z/t (Pi | O | 5) (P^' | O | 5). By 
definition of O and Pi this imphes that (P2 | S) ^ (P^' | S) and (P^' \ S) 

(2) z^t (P2 I O) I P2 ^ z^t (P^' I O I 5 I pause.O) ^ ut (P^ | O) and z^t (P/ | O) 

z/t (P^ I O). Again by definition of O we have that (P<^' \ S) ^ P^. □ 

8 Conclusion 

We have proposed a synchronous version of the π-calculus which borrows the notion of
instant from the SL model, a relaxation of the Esterel model. We have shown that the
resulting language is amenable to a semantic treatment similar to that available for the
π-calculus. Retrospectively, we feel that the developed theory relies on two key insights: the
introduction of the notion of L-suspension and the remark that the observation of signals
is similar to the observation of channels with asynchronous communication.